# Exploit Title: Metform Elementor Contact Form Builder v3.1.2 - Unauthenticated Stored Cross-Site Scripting (XSS)  
# Google Dork: inurl:metform-form intext:textarea|message  
# Date: 14/01/2023  
# Exploit Author: Mohammed Chemouri (  
# Vendor Homepage:  
# Software Link:  
# Version: <= 3.1.2  
# Tested on: WordPress version 6.1.1, PHP version 8.0.27 (64bit)  
# CVE : CVE-2023-0084  
An unauthenticated attacker can insert a persistent malicious JavaScript  
code via the text-area field and because the input is not properly  
sanitized the XSS will be executed each time the victim visits the affected  
An attacker can steal admin’s session or credentials e.g., using a phishing  
attack (display fake login page) and may install a JavaScript backdoor like  
the Browser Exploitation Framework (BeeF). ,etc.  
Reproduction Steps:  
1- Create a new form (using MetForm Elementor widgets) and insert a  
text-area field and a submit button then publish the form.  
2- Visit the created form (no login needed) and insert the following  
JavaScript code in the text-area and submit:  
3- By visiting MetForm then Entries from the WP-ADMIN panel and viewing the  
inserted post the XSS payload will be executed.  
Because there is may bots scanning the web and trying to brute-force  
admin's credentials or exploit known vulnerabilities this flaw can be also  
automated to steal credentials or do actions on behalf of the logged in  
user or even install a JavaScript worm like the Browser Exploitation  
Framework (BeeF) and make more than 100,000 websites under a high risk.  
All fields must be properly sanitized and escaped before being displayed in  
the browser. WordPress already offers an API for this purpose.  
For more information please refer to: